Phishing Scam Warning: The Law Pages
BackgroundI noticed a rather unusual phishing scam in the RingoDingo trap (part of a security product in development) and decided to take a look into it.
It's constructed in a way which has an impact - it would probably make most people panic a little... it claims to be from a porn site called "passionateseniors.com"!
This is a "If you don't pay us we'll tell everyone" type scam, containing a bitcoin wallet address and demanding payment - incidentally it is not only illegal to blackmail someone like this in the UK, it's also illegal to participate in blackmail from the side of the target of said blackmail.
I've obscured details which may be useful to malicious actors but you can click-to-enlarge (not in the same way as some of the content on that website I hope) the screenshot below:
I don't even want to look at the alleged senders website tbh :) will assume based on domain name that the content matches the name. It's a good example of a bad scam - notice the misdirection about "my English is poor because I'm from Vietnam" too.
DetailsIt again looks like a case where there's been some sort of compromise somehow relating to the thelawpages.com website. The recipient email address was used once when I registered an account with them in 2016 using an email address specific to that site and I'm not sure that I used the login more than once.
There appears to be a questionable DKIM signature in the received email (I couldn't directly verify it but there are other reasons that it may still be valid).
The domain appears to be registered to The Law Agency / The Law Pages, and there's only a scant reference to an organisation registered in the UK; however the address doesn't match the registrant details and I'm short on time at the moment to investigate further.
As you can see their website is down, showing only an Apache test page with a self-issued TLS certificate:
So overall this looks like thelawpages.com's subscriber database has been compromised, plus potentially the senders email servers have also been compromised - or that they are part of the scam themselves.
Think about it - if you were simply browsing a website, how would they have your email address and be able to record you picking your nose (or anything else as suggested here!).
Please don't fall for this kind of thing. I'll get in touch with the contact for the sender domain and will update if there's anything relevant here.